National Security Risks of Late-Stage Capitalism

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/03/national-security-risks-of-late-stage-capitalism.html

Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds. The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US government agencies such as the Homeland Security Department and State Department, American nuclear research labs, government contractors, IT companies and nongovernmental agencies around the world.

It was a huge attack, with major implications for US national security. The Senate Intelligence Committee is scheduled to hold a hearing on the breach on Tuesday. Who is at fault?

The US government deserves considerable blame, of course, for its inadequate cyberdefense. But to see the problem only as a technical shortcoming is to miss the bigger picture. The modern market economy, which aggressively rewards corporations for short-term profits and aggressive cost-cutting, is also part of the problem: Its incentive structure all but ensures that successful tech companies will end up selling insecure products and services.

Like all for-profit corporations, SolarWinds aims to increase shareholder value by minimizing costs and maximizing profit. The company is owned in large part by Silver Lake and Thoma Bravo, private-equity firms known for extreme cost-cutting.

SolarWinds certainly seems to have underspent on security. The company outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities. For a while, in 2019, the update server’s password for SolarWinds’s network management software was reported to be “solarwinds123.” Russian hackers were able to breach SolarWinds’s own email system and lurk there for months. Chinese hackers appear to have exploited a separate vulnerability in the company’s products to break into US government computers. A cybersecurity adviser for the company said that he quit after his recommendations to strengthen security were ignored.

There is no good reason to underspend on security other than to save money — especially when your clients include government agencies around the world and when the technology experts that you pay to advise you are telling you to do more.

As the economics writer Matt Stoller has suggested, cybersecurity is a natural area for a technology company to cut costs because its customers won’t notice unless they are hacked — and if they are, they will have already paid for the product. In other words, the risk of a cyberattack can be transferred to the customers. Doesn’t this strategy jeopardize the possibility of long-term, repeat customers? Sure, there’s a danger there — but investors are so focused on short-term gains that they’re too often willing to take that risk.

The market loves to reward corporations for risk-taking when those risks are largely borne by other parties, like taxpayers. This is known as “privatizing profits and socializing losses.” Standard examples include companies that are deemed “too big to fail,” which means that society as a whole pays for their bad luck or poor business decisions. When national security is compromised by high-flying technology companies that fob off cybersecurity risks onto their customers, something similar is at work.

Similar misaligned incentives affect your everyday cybersecurity, too. Your smartphone is vulnerable to something called SIM-swap fraud because phone companies want to make it easy for you to frequently get a new phone — and they know that the cost of fraud is largely borne by customers. Data brokers and credit bureaus that collect, use, and sell your personal data don’t spend a lot of money securing it because it’s your problem if someone hacks them and steals it. Social media companies too easily let hate speech and misinformation flourish on their platforms because it’s expensive and complicated to remove it, and they don’t suffer the immediate costs — indeed, they tend to profit from user engagement regardless of its nature.

There are two problems to solve. The first is information asymmetry: buyers can’t adequately judge the security of software products or company practices. The second is a perverse incentive structure: the market encourages companies to make decisions in their private interest, even if that imperils the broader interests of society. Together these two problems result in companies that save money by taking on greater risk and then pass off that risk to the rest of us, as individuals and as a nation.

The only way to force companies to provide safety and security features for customers and users is with government intervention. Companies need to pay the true costs of their insecurities, through a combination of laws, regulations, and legal liability. Governments routinely legislate safety — pollution standards, automobile seat belts, lead-free gasoline, food service regulations. We need to do the same with cybersecurity: the federal government should set minimum security standards for software and software development.

In today’s underregulated markets, it’s just too easy for software companies like SolarWinds to save money by skimping on security and to hope for the best. That’s a rational decision in today’s free-market world, and the only way to change that is to change the economic incentives.

This essay previously appeared in the New York Times.

The Teams Dashboard: Behind the Scenes

Post Syndicated from Abe Carryl original https://blog.cloudflare.com/the-teams-dashboard-behind-the-scenes/


Back in 2010, Cloudflare was introduced at TechCrunch Disrupt as a security and performance solution that took the tools of the biggest service providers and made them available to anyone online. But simply replicating these tools wasn’t enough — we needed to make them ridiculously easy to use.

When we launched Cloudflare for Teams almost ten years later, the vision was very much the same — build a secure and powerful Zero Trust solution that is ridiculously easy to use. However, while we talk about what we’re building with a regular cadence, we often gloss over how we are designing Cloudflare for Teams to make it simple and easy to use.

In this blog post we’ll do just that — if that sounds like your jam, keep scrolling.

Building a house

First, let’s back up a bit and introduce Cloudflare for Teams.

We launched Cloudflare for Teams in January, 2020. With Teams, we wanted to alleviate the burden Cloudflare customers were feeling when trying to protect themselves and their infrastructure from threats online. We knew that continuing to rely on expensive hardware would be difficult to maintain and impractical to scale.

At its core, Teams joins two products together — Access and Gateway. On the one hand, Access acts as a bouncer at the door of all your applications, checking the identity of everyone who wants in. It’s a Zero Trust solution that secures inbound connections. On the other hand, Gateway is a Secure Web Gateway solution that acts as your organization’s bodyguard — it secures your users as they set out to navigate the Internet.

Over the past year, we’ve been rapidly shipping features to help our customers face the new and daunting challenges 2020 brought around. However, that velocity often took a toll on the intentionality of how we design the Teams Dashboard, and resulted in a myriad of unintended consequences. This is often referred to as a “Feature Shop” dilemma, where Product and Design only think about what they’re building and become too resource-constrained to consider why they’re building it.

In an interface, this pattern often manifests itself through siloed functionality and fractured experiences. And admittedly, when we first began building the Teams Dashboard, many of our experiences felt this way. Users were able to take singular features from inception to fruition, but were limited in their ability to thread these experiences together in a seamless fashion across the Dashboard.

The duplex problem

Here’s an example. In the early days of Cloudflare for Teams, we wanted to provide users with a single pane of glass to manage their security policies. In order to do so, users would need to onboard to both Access and Gateway. Only one problem, we didn’t have an onboarding pathway for Cloudflare Access. The obvious question became “What do we need?”. Inherently, the answer was an onboarding flow for Cloudflare Access.

Just like that, we were off to the races.

In retrospect, what we should have been asking instead was “Why do users need onboarding flow?” By focusing on what, we polluted our own ability to build the right solution for this problem. Instead of providing a seamless entryway to our dashboard, we created a fork-in-the-road decision point and siloed our customers into two separate paths that did not make it easy for them to approach our dashboard.

From an experiential perspective, we later equated this to inviting our users to a party. We give them an address, but when they show up at the doorstep, they realize the house is actually a duplex. Which doorbell are they supposed to ring? Where’s the party? What will they find if they walk into the wrong unit?


Leading with Design

That’s where Design fits in. Our design team is hyper-obsessed with asking why. Why are we throwing a party? Why should anyone come? Why should they stay? By challenging our team to lead with design, we take a questioning attitude to each of the features we contemplate building. With this approach, we do not assume a feature is valuable, intuitive, or even required. We assume nothing.

During our “Feature Shop” days, we had a bad habit of providing “bad mockups” or outlining a solution for Design to prototype. This is often referred to as “solution pollution”. For example, if I tell you I need a fast car, you’re probably going to start designing a car. However, if instead I tell you I need to get from point A to point B as quick as possible, you may end up designing a bike, scooter, car, or something entirely new and novel. Design thrives in this balance.

Now, we begin at the beginning and gather contextual data which drove us toward a given feature hypothesis. Together, Product and Design then research the problem alongside the users it may impact. More importantly, once the problem space has been validated, we partner on the solution itself.

With this new approach in mind, we revisited our onboarding experience, and this time, the solution we arrived at was quite different from our initial prototypes. Instead of creating two divergent pathways we now proposed a single Cloudflare for Teams onboarding flow. This solved the duplex problem.


This flow prioritized two key elements: preparing users for success and emphasizing time-to-value. During initial research, Design was able to identify that users often felt overwhelmed and underprepared for the configuration required during an early onboarding. Additionally, because of this sentiment, users failed to reach an initial “Aha!” moment until much later than anticipated in their user journey. To address these concerns, we truncated the onboarding process to just three simple steps:

  • Welcome to Teams
  • Create a Team Name
  • Pick a Plan

As simple as that. Then, we created a Quick Start guide which users land on after onboarding. Let’s call this our inboarding flow. Next, we created a variety of “Starter Packs” within the guide which automate much of the laborious configuration for users so they can start realizing value from Cloudflare for Teams almost instantly.


What’s next

Moving forward, we will continue to expand on the Quick Start guide adding more robust starter packs and enhancing the opportunities for continuous learning. We’re also looking to incorporate intelligent recommendations based on your environment. We’ll also be releasing other improvements this quarter which apply the same underlying concepts found in our Quick Start guide to other areas of the UI such as our Empty States and Overview pages.

Perhaps most importantly, by leading with Design we’re able to foster healthy debate early and often for the products and features we consider releasing within the UI. These relationships drive us to map risks to controls and force us to build with care and intentionality. After all, we all have the same mission: to help build a better Internet.

If you’re interested in learning more about the Cloudflare for Teams design lifecycle, stay tuned. We have three upcoming blog releases which will walk you through our product content strategy, our design vision, and an exciting new feature release where you can see this partnership in action.

How your young people can create with tech for Coolest Projects 2021

Post Syndicated from Helen Drury original https://www.raspberrypi.org/blog/how-young-people-can-create-with-tech-coolest-projects-2021/

In our free Coolest Projects online showcase, we invite a worldwide community of young people to come together and celebrate what they’ve built with technology. For this year’s showcase, we’ve already got young tech creators from more than 35 countries registered, including from India, Ireland, UK, USA, Australia, Serbia, Japan, and Syria!


Register to become part of the global Coolest Projects community

Everyone up to age 18 can register for Coolest Projects to become part of this community with their own tech creation. We welcome all projects, all experience levels, and all kinds of projects, from the very first Scratch animation to a robot with machine learning capacity! The beauty of Coolest Projects is in the diversity of what the young tech creators make.

Young people can register projects in six categories: Hardware, Scratch, Mobile Apps, Websites, Games, and Advanced Programming. Projects need to be fully registered by Monday 3 May 2021, but they don’t need to be finished then — at Coolest Projects we celebrate works in progress just as much as finished creations!

To learn more about the registration process, watch the video below or read our guide on how to register.

Our Coolest Projects support for young people and you

Here are the different ways we’re supporting your young people — and you — with project creation!

Online resources for designing and creating projects

Download the free Coolest Projects workbook that walks young people through the whole creation process, from finding a topic or problem they want to address, to idea brainstorming, to testing their project:

Figure: the five steps of creating a tech project: 1. Pick a problem. 2. Who are you helping with your project? 3. Generate ideas. 4. Design and build. 5. Test and tweak.
Our Coolest Projects worksheets have detailed guidance about all five steps of project creation.

Explore more than 200 free, step-by-step project guides for learning coding and digital making skills that your young people can use to find help and inspiration! For more ideas on what your young people can make for Coolest Projects, have a look around last year’s online showcase gallery.

Live streams for young people

This Wednesday 3 March at 19:00 GMT / 14:00 ET, young people can join a special Digital Making at Home live stream about capturing ideas for projects. We’ll share practical tips and inspiration to help them get started with building a Coolest Projects creation:

On Tuesday 23 March, 16:00 GMT / 11:00 ET, young people can join the Coolest Projects team on a live stream to talk to them about all things Coolest Projects and ask all their questions! Subscribe to our YouTube channel and turn on notifications to be reminded about this live stream.

Online workshops for educators & parents

Join our free online workshops where you as an educator or parent can learn how to best support young people to take part:

Celebrating young people’s creativity

Getting creative with technology is truly empowering for young people, and anything your young people want to create will be celebrated by us and the whole Coolest Projects community. We’re so excited to see their projects, and we can’t wait to celebrate all together at our big live stream celebration event in June! Don’t let your young people miss their chance to be part of the fun.

Register your project for the Coolest Projects online showcase


And “the Cap” is barren in front of goal again!

Post Syndicated from original https://bivol.bg/openluxkasket.html

Monday 1 March 2021


“Openlux” was yet another pass set up for a volley. A pass that the handful of genuinely investigative journalists in Bulgaria threaded precisely to the institutions. If I may use a metaphor and liken our native Prosecutor’s Office…

Kernel prepatch 5.12-rc1

Post Syndicated from original https://lwn.net/Articles/847707/rss

Linus Torvalds has released 5.12-rc1 (codename now “Frozen wasteland”) and closed the merge window despite getting a late start due to bad weather:

So I was actually without electricity for six days of the merge window, and was seriously considering just extending the merge window to get everything done.

As you can tell, I didn’t do that. To a large part because people were actually very good about sending in their pull requests, so by the time I finally got power back, everything was nicely lined up and I got things merged up ok.

But partly this is also because 5.12 is a smaller release than some previous ones.

We are living in 1984 (ETERNALBLUE)

Post Syndicated from original https://blog.erratasec.com/2021/02/we-are-living-in-1984-eternalblue.html

In the book 1984, the protagonist questions his sanity, because his memory differs from what appears to be everybody else’s memory.

The Party said that Oceania had never been in alliance with Eurasia. He, Winston Smith, knew that Oceania had been in alliance with Eurasia as short a time as four years ago. But where did that knowledge exist? Only in his own consciousness, which in any case must soon be annihilated. And if all others accepted the lie which the Party imposed—if all records told the same tale—then the lie passed into history and became truth. ‘Who controls the past,’ ran the Party slogan, ‘controls the future: who controls the present controls the past.’ And yet the past, though of its nature alterable, never had been altered. Whatever was true now was true from everlasting to everlasting. It was quite simple. All that was needed was an unending series of victories over your own memory. ‘Reality control’, they called it: in Newspeak, ‘doublethink’.

I know that EternalBlue didn’t cause the Baltimore ransomware attack. When the attack happened, the entire cybersecurity community agreed that EternalBlue wasn’t responsible.

But this New York Times article said otherwise, blaming the Baltimore attack on EternalBlue. And there are hundreds of other news articles [eg] that agree, citing the New York Times. There are no news articles that dispute this.

In a recent book, the author of that article admits it’s not true, that EternalBlue didn’t cause the ransomware to spread. But they defend themselves as it being essentially true, that EternalBlue is responsible for a lot of bad things, even if technically, not in this case. Such errors are justified, on the grounds they are generalizations and simplifications needed for the mass audience.

So we are left with the situation Orwell describes: all records tell the same tale — when the lie passes into history, it becomes the truth.

Orwell continues:

He wondered, as he had many times wondered before, whether he himself was a lunatic. Perhaps a lunatic was simply a minority of one. At one time it had been a sign of madness to believe that the earth goes round the sun; today, to believe that the past is inalterable. He might be ALONE in holding that belief, and if alone, then a lunatic. But the thought of being a lunatic did not greatly trouble him: the horror was that he might also be wrong.

I’m definitely a lunatic, alone in my beliefs. I sure hope I’m not wrong.


Update: Other lunatics document their struggles with Minitrue:

A Half-Dictionary of Engi-nervous Linguistics

Post Syndicated from original http://www.gatchev.info/blog/?p=2347

Администраст
Бюрокраста
Възмутант
Гафоризъм
Долновиден
Езиковад
Журнализец
Злоупотребност
Икономистика
Канцеларогенен
Литератруп
Маймунистър
Некадържавник
Обезобразование
Политиквен
Рецензура
Скандалновиден
Топлофикция
Управгустейши
Футуролъг
Херостратег
Ценоразпас
Чукундуравенство
Шантавангард
Ювелирика
Ядоволствие

No, these word-aphorisms are not the work of Radoy Ralin. There is no dispute that they are inspired by his “властитутка”. But some of them are folk creations, and most are the work of the writer and science-fiction scholar Atanas P. Slavov. You can find them in the first part of his new book “Полуречник по инженервно язъкознание” (“A Half-Dictionary of Engi-nervous Linguistics”). Together with many more, and together with the cheerful illustrations by Kalin Nikolov, which, by coincidence or not, recall Boris Dimovski’s famous illustrations for “Лютите чушки”.

When I post a presentation of some new book, I often praise its author. Nothing strange about that; I simply take the trouble for things I have liked. Nasko Slavov, however, has no need of praise. The examples above say more than I could.

Thank you from the heart for the aphoristics, Nasko! And keep on aphorising the nonsense that deserves it. It deserves to have its ridiculousness put on display for everyone to see. Who knows, maybe everyone will finally open their eyes to it!

Review: Perlroth’s book on the cyberarms market

Post Syndicated from original https://blog.erratasec.com/2021/02/review-perlroths-book-on-cyberarms.html

New York Times reporter Nicole Perlroth has written a book on zero-days and nation-state hacking entitled “This Is How They Tell Me The World Ends”. Here is my review.

I’m not sure what the book intends to be. The blurbs from the publisher imply a work of investigative journalism, in which case it’s full of unforgivable factual errors. However, it reads more like a memoir, in which case errors are to be expected and forgivable, with content often from memory rather than rigorously fact-checked notes.

But even with this more lenient interpretation, there are important flaws that should be pointed out. For example, the book claims the Saudis hacked Bezos with a zero-day. I claim that’s bunk. The book claims zero-days are “God mode” compared to other hacking techniques; I claim they are no better than the alternatives, usually worse, and rarely used.

But I can’t really list all the things I disagree with. It’s no use. She’s a New York Times reporter, impervious to disagreement.

If this were written by a tech journalist, then criticism would be the expected norm. Tech is full of factual truths, such as whether 2+2=5, where it’s possible for a thing to be conclusively known. All journalists make errors — tech journalists are constantly making small revisions correcting their errors after publication.

The best example of this is Ars Technica. They pride themselves on their reader forums, where readers comment, opine, criticize, and correct stories. Sometimes readers add more interesting information to the story, providing free content to other readers. Sometimes they fix errors.

It’s often unpleasant for the journalists who steel themselves after hitting “Submit…”. They have a lot of practice defending or correcting every assertion they make, from both legitimate and illegitimate criticism. This makes them astoundingly good journalists — mistakes editors miss readers don’t. They get trained fast to deal with criticism.

The mainstream press doesn’t have this tradition. To be fair, it couldn’t. Tech forums have techies with knowledge and experience, while the mainstream press has ignorant readers with opinions. Regardless of the story’s original content it’ll devolve into people arguing about whether Epstein was murdered (for example).

Nicole Perlroth is a mainstream reporter on a techy beat. So you see a conflict here between the expectation both sides have for each other. Techies expect a tech journalist who’ll respond to factual errors, she doesn’t expect all this criticism. She doesn’t see techie critics for what they are — subject matter experts that would be useful sources to make her stories better. She sees them as enemies that must be ignored. This makes her stories sloppy by technical standards. I hate that this sounds like a personal attack when it’s really more a NYTimes problem — most of their cyber stories struggle with technical details, regardless of author.

This problem is made worse by the fact that the New York Times doesn’t have “news stories” so much as “narratives”. They don’t have neutral stories reporting what happened, but narratives explaining a larger point.

A good example is this story that blames the Baltimore ransomware attack on the NSA’s EternalBlue. The narrative is that EternalBlue is to blame for damage all over the place, and it uses the Baltimore ransomware as an example. However, EternalBlue wasn’t responsible for that particular ransomware — as techies point out.

Perlroth doesn’t fix the story. In her book, she instead criticizes techies for focusing on “the technical detail that in this particular case, the ransomware attack had not spread with EternalBlue”, and that techies don’t acknowledge “the wreckage from EternalBlue in towns and cities across the country”.

It’s a bizarre response from a journalist, refusing to fix a falsehood in a story because the rest of the narrative is true.

Some of the book is correct, telling you some real details about the zero-day market. I can’t say it won’t be useful to some readers, though the useful bits are buried in a lot of non-useful stuff. But most of the book is wrong about the zero-day market, a slave to the narrative that zero-days are going to end the world. I mean, I should say, I disagree with the narrative and her political policy ideas — I guess it’s up to you to decide for yourself if it’s “wrong”. Apart from inaccuracies, a lot is missing — for example, you really can’t understand what a “zero-day” is without also understanding the 40 year history of vuln-disclosure.

I could go on a long spree of corrections, and others have their own long list of inaccuracies, but there’s really no point. She’s already defended her book as being more of a memoir than a work of journalistic integrity, so her subjective point of view is what it’s about, not facts. Her fundamental narrative of the Big Bad Cyberarms Market is a political one, so any discussion of accuracy will be in service of political sides rather than the side of truth.

Moreover, she’ll just attack me for my “bruised male ego”, as she has already done to other expert critics.

